Vulnerability Note VU#823971
Microsoft Internet Explorer contains a Channel Definition Format (CDF) cross-domain vulnerability
Microsoft Internet Explorer contains a vulnerability that may allow unintended information disclosure or remote code execution due to a flaw in handling Channel Definition Format (CDF) files.
From the Microsoft Channel Definition Format description:
An attacker may be able to exploit the flaw in CDF file handling to execute code in the Local Machine Zone.
Channel Definition Format (CDF) files can be used to organize a set of related Web pages into a logical hierarchy. A channel is a Web site described by a Channel Definition Format (CDF) file. The CDF file defines a hierarchy of the pages that are included in the channel. Besides defining the resources in the channel, the CDF file also specifies how each item will be used or displayed, and when the channel should be updated. For more information about CDF files, see the product documentation.
A remote attacker may be able to execute arbitrary code or access otherwise restricted information by crafting a malicious web page, then convincing a user to visit it by clicking on a link or email. The code would execute with the privileges of the user running Internet Explorer.
Install Windows XP Service Pack 2 (SP2)
Microsoft Windows XP SP2 includes a feature called Local Machine Zone Lockdown, as well as other improvements. The Local Machine Zone Lockdown prevents Internet Explorer and several other programs from evaluating script in the Local Machine Zone. While this does not remove the vulnerability, it does help prevent an attacker from executing script in the Local Machine Zone.
Read and send email in plain text format
Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.
Do not follow unsolicited links
In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.
It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).
If you are a vendor and your product is affected, let
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||08 Feb 2005||08 Feb 2005|
Thanks to the Microsoft Corporation for reporting this vulnerability.
This document was written by Ken MacInnis based primarily on information provided by the Microsoft Corporation.
08 Feb 2005
Date First Published:
08 Feb 2005
Date Last Updated:
09 Feb 2005
If you have feedback, comments, or additional information about this vulnerability, please send us email.